DevSecOps

Accelerating Secure Apps: Embracing DevSecOps and Speed

Integrating Security into Rapid Application Development for Enhanced Efficiency and Protection

Roman Borovits

The digitalisation of business processes is putting applications at the centre of a company's activities. Customers want apps that are easy to use and carry the latest features, so these applications must be updated quickly, which can mean several releases per day. That speed, however, can also lead to security policies being violated. To prevent this, application security must be integrated into the CI/CD system via infrastructure as code, a practice that aligns well with DevSecOps principles.

Traditional businesses today need to increase their agility to withstand the competitive pressures of faster, cloud-based start-ups. Increased speed and efficiency of application development through DevOps processes must not, however, come at the expense of security. 

The DevSecOps approach emphasizes the need to incorporate security measures from the beginning of the development process, ensuring that security is a shared responsibility.


Graphic showing DevSecOps elements, emphasizing the collaboration between development, security, and operations for secure application development.


Conscious Security Breaches

This year there have been several cases in which companies exposed sensitive data because they had knowingly left their S3 buckets or cloud databases misconfigured.

In a recent study, F5 Labs researchers analysed the cases that have come to light since 2017 in which companies exposed cloud resources through such knowingly accepted security gaps. The number of such incidents rose by an alarming 200 percent from 2017 to 2018.

Why would anyone knowingly put application security at risk? The findings show that the cause rarely lies on the operations side: database administrators and engineers generally concentrate on following the security guidelines.

Product developers, however, sometimes fail to enable the security features that already exist, usually to save development time or to avoid triggering or uncovering other errors.

The result is applications whose security features are poorly configured. This is not necessarily done with the intent to harm the company or its users.

Rather, the developers may not recognise or understand the potential consequences, or they assume that a breach is unlikely to occur.

Involve All IT Teams

Companies must therefore use the DevSecOps approach to apply proven security measures when building applications. All IT teams have to be involved: development, testing and security, as well as operations, network and infrastructure.

These teams need to replace their previous silo-based culture, including its processes and tools, with a cross-departmental approach. Only then can they deliver highly secure code while meeting the speed and efficiency requirements of rapid application development.

Developers must be in a position to trigger tests automatically. This helps to identify code-quality trends, share test results, create repeatable tests and enforce test policies, and it stops development from being slowed down by manual testing.

Automated unit tests give developers not only speed and efficiency but also the necessary quality: because they detect errors early, those errors are not dragged along through the software development lifecycle, where they become ever more difficult and expensive to fix.

Five Simple Steps

The seamless integration of SecOps, DevOps and NetOps through a declarative approach, together with Role-Based Access Control (RBAC), which grants permissions according to a user's role rather than to individual accounts, is considered the principal discipline in the rapid development of secure applications.

Visual representation of Role-Based Access Control (RBAC) components within DevSecOps, detailing six critical elements that strengthen application security.

Fortunately, there are a variety of simple measures that companies can implement in advance to improve security without compromising speed. Companies should pay particular attention to the following five steps if they do not want to become part of a negative headline as a result of a security incident.

1. Operate Components Internally

Various studies show that 80 to 90 percent of a company's applications consist of third-party components. Very often these components are loaded at request time from external locations, typically to reduce latency and improve performance.

As a consequence they are left out of the existing source-code analysis scans, on the mistaken assumption that external components are automatically secure and trustworthy.

Yet one way of attacking an application is to plant malware in a software container or package that is then downloaded without further testing and used in the application.

The same applies to UX components loaded from third parties. Wherever possible, companies should therefore host third-party components on their own infrastructure to reduce the risk of tampering. Anyone who doubts that this is necessary should read up on the compromised ESLint packages discovered in 2018.

2. Scan Components

In principle, any third-party component may contain vulnerabilities. If it is part of the application, it must also be covered by the security processes in place. Once step one has been taken, these components can easily be included in the testing processes of the CI/CD pipeline.

When checking components for vulnerabilities, remember that the entire code, no matter where it is executed, must be checked for potential risks.
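Steps 1 and 2 together amount to a pipeline gate that runs before the build consumes its dependencies. The following script is an added example, not code from the article or from F5: it audits an npm package-lock.json and reports dependencies that resolve to anything other than an internal mirror (hypothetical host registry.internal.example), fetched tarballs whose bytes do not match the lockfile's integrity hash, and pinned versions on an advisory list. The lockfile entries, tarball bytes and hashes are constructed; the only real detail is the eslint-scope version that was compromised in July 2018.

```python
"""Pre-build audit of an npm package-lock.json (added example, not from the article or F5).

Checks, against constructed sample data:
  * every dependency resolves to our own mirror (assumed host registry.internal.example),
  * the tarball the build fetched matches the lockfile's integrity hash,
  * the pinned version is not on the advisory list.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

INTERNAL_REGISTRY_HOST = "registry.internal.example"   # assumption: our internal mirror

# Constructed advisory list: package -> {bad version: reason}. The eslint-scope
# version is the one actually compromised in July 2018; everything else is made up.
ADVISORIES = {
    "eslint-scope": {"3.7.2": "compromised release, July 2018"},
}


def sri(algo, data):
    """Integrity string in the lockfile's format, e.g. 'sha512-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def integrity_matches(integrity, data):
    """True if the fetched bytes match any strong entry in the integrity field."""
    for entry in integrity.split():
        algo, _, b64 = entry.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue                      # ignore sha1 or unknown algorithms
        expected = base64.b64decode(b64)
        if hmac.compare_digest(expected, hashlib.new(algo, data).digest()):
            return True
    return False


def audit_lockfile(lock, tarballs):
    """Return (package, problem) findings for a lockfileVersion 2 document."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue                      # the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        host = urlparse(meta.get("resolved", "")).hostname
        if host != INTERNAL_REGISTRY_HOST:
            findings.append((name, f"resolved from external host {host!r}; mirror it internally"))
        data = tarballs.get(name)
        if data is None:
            findings.append((name, "no fetched tarball to verify"))
        elif not integrity_matches(meta.get("integrity", ""), data):
            findings.append((name, "fetched tarball does not match lockfile integrity hash"))
        if version in ADVISORIES.get(name, {}):
            findings.append((name, f"version {version} is on the advisory list: {ADVISORIES[name][version]}"))
    return findings


# Constructed sample input: what the lockfile says and what the build actually fetched.
LEFT_PAD_TGZ = b"constructed tarball bytes for left-pad 1.3.0"
ESLINT_SCOPE_TGZ = b"constructed tarball bytes for eslint-scope 3.7.2"

SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.internal.example/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": sri("sha512", LEFT_PAD_TGZ),
        },
        "node_modules/eslint-scope": {
            "version": "3.7.2",
            "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-3.7.2.tgz",
            "integrity": sri("sha512", ESLINT_SCOPE_TGZ),
        },
    },
}
SAMPLE_TARBALLS = {
    "left-pad": LEFT_PAD_TGZ,
    "eslint-scope": ESLINT_SCOPE_TGZ + b"\n# injected postinstall payload",   # tampered in transit
}

if __name__ == "__main__":
    for name, problem in audit_lockfile(SAMPLE_LOCK, SAMPLE_TARBALLS):
        print(f"{name}: {problem}")
```

Run in CI, a non-empty finding list fails the build. The integrity comparison uses hmac.compare_digest and refuses sha1 entries, so an attacker who can rewrite the lockfile still has to produce a collision on a strong hash rather than a weak one.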

3. Lock the Door

The third step is a simple but effective way of preventing attackers from taking control of the environment. Whether it is a web, application, database or middleware server, or a container orchestration environment: access to administrative consoles must always require personal credentials.

This applies not only to containers but also to all public storage locations and cloud applications in use. In fact, many security incidents stem from failures to secure cloud consoles and storage services.
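Two of the most common "door left open" cases can be caught mechanically before a deployment is applied. The following is an added example, not code from the article or from F5: it flags S3 bucket policy statements that allow everyone (Principal "*") without any Condition, and Kubernetes RoleBindings or ClusterRoleBindings that grant a role to anonymous users. The bucket policy, account id and binding are constructed sample input.

```python
"""Step 3 as a pipeline gate (added example, not from the article or F5).

Checks two kinds of config for access that needs no personal credentials:
  * an S3 bucket policy statement that allows everyone without a Condition,
  * a Kubernetes (Cluster)RoleBinding that includes an anonymous subject.
The policy and binding below are constructed sample input.
"""

ANONYMOUS_K8S_SUBJECTS = {"system:anonymous", "system:unauthenticated"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """True for the principal forms that mean 'anyone', authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):          # e.g. {"AWS": "*"} or {"AWS": ["*", "arn:..."]}
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy):
    """Allow statements that apply to everyone and are not narrowed by a Condition."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):
            continue      # scoped, e.g. to a VPC endpoint; review manually but not wide open
        hits.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))))
    return hits


def anonymous_subjects(binding):
    """Names of subjects in a (Cluster)RoleBinding that need no credentials at all."""
    return [s.get("name") for s in binding.get("subjects", [])
            if s.get("name") in ANONYMOUS_K8S_SUBJECTS]


# Constructed sample input (123456789012 is the placeholder account id from AWS docs).
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"},
        {"Sid": "CiUpload", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-deploy"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::customer-exports/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::customer-exports",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
SAMPLE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "dashboard-access"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                "apiGroup": "rbac.authorization.k8s.io"},
    "subjects": [
        {"kind": "User", "name": "system:anonymous", "apiGroup": "rbac.authorization.k8s.io"},
        {"kind": "User", "name": "alice@example.com", "apiGroup": "rbac.authorization.k8s.io"},
    ],
}

if __name__ == "__main__":
    for sid, actions in public_statements(SAMPLE_BUCKET_POLICY):
        print(f"bucket policy statement {sid} grants {actions} to everyone")
    for name in anonymous_subjects(SAMPLE_BINDING):
        print(f"binding {SAMPLE_BINDING['metadata']['name']} grants "
              f"{SAMPLE_BINDING['roleRef']['name']} to {name}")
```

The bucket check deliberately treats a Condition as "not wide open" rather than "safe": a statement scoped to a VPC endpoint still deserves review, but it is not the anonymous-internet case the article is warning about.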

4. Hide the Key

When you lock a door, you don't leave the key on the doormat for anyone to see. Secrets management takes some effort to get right, but protecting applications and processes from unauthorised access is essential.

Businesses should not store credentials and other sensitive material such as keys and certificates in files in publicly accessible locations, nor use such locations for key management. The consequences of mishandling such data can be seen in the Uber incident, where credentials found in a code repository gave attackers access to user data.
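A pre-commit or pre-publish scan is the practical form of step 4. The following scanner is an added example, not code from the article or from F5: it looks for cloud access keys, private key blocks and hard-coded passwords or tokens, skips environment references and low-entropy placeholders, and marks separately anything under a web-served directory. The directory names, patterns and entropy threshold are assumptions; the sample files are constructed and use the documented AWS example key rather than a real one.

```python
"""Pre-commit secret scan (added example, not from the article or F5).

Flags cloud access keys, private key blocks and hard-coded credentials in
staged files, and marks findings under web-served directories, where the
file would be readable by everyone. Patterns, directories and the entropy
threshold are assumptions; the sample files are constructed.
"""
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # keyword, optional suffix, '=' or ':', optional quote, then the value
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|token|api_key|access_key)\w*\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
}
PUBLIC_DIRS = ("public/", "static/", "www/", "htdocs/")   # assumption: served as-is by the web tier
ENTROPY_THRESHOLD = 3.0                                  # bits per char; placeholders score lower


def shannon_entropy(text):
    """Bits of entropy per character; 'changeme' scores 2.75, real keys 4 or more."""
    if not text:
        return 0.0
    length = len(text)
    return -sum((text.count(c) / length) * math.log2(text.count(c) / length) for c in set(text))


def in_public_location(path):
    return any(part in path for part in PUBLIC_DIRS)


def scan_text(path, text):
    """Return (path, line number, kind, public) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            match = rx.search(line)
            if not match:
                continue
            if kind == "hardcoded_credential":
                value = match.group(1)
                # skip environment references and low-entropy placeholders
                if value.startswith("${") or shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append((path, lineno, kind, in_public_location(path)))
            break                       # one finding per line is enough
    return findings


def scan_files(files):
    """files: mapping of path -> text, e.g. the staged files of a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample input. The AWS key pair is the placeholder pair from the AWS docs.
SAMPLE_FILES = {
    "config/settings.py": 'DEBUG = False\nDATABASE_PASSWORD = "${DB_PASSWORD}"\n',
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                      "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "public/js/app.js": "const API_TOKEN = 'tok_9f8a7b6c5d4e3f2a1b0c';\n",
    "docs/README.md": "Set password = changeme on first login.\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     "b3BlbnNzaC1rZXktdjEAAAAAconstructed\n"
                     "-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for path, lineno, kind, public in scan_files(SAMPLE_FILES):
        where = "PUBLIC LOCATION" if public else "private location"
        print(f"{path}:{lineno}: {kind} ({where})")
```

Wired into a pre-commit hook, any finding blocks the commit; the "public" flag is the case the article is most concerned with, since a token under public/ is served to every visitor, not just to anyone with repository access.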

5. Secure APIs

APIs receive user input and pass it on to applications. This data belongs at the highest security level, since user input can never be trusted. Businesses should therefore make sure that their APIs do not simply pass data through to internal applications or microservices unchecked.

APIs must be examined and secured with the same care as the applications themselves. An overview of significant API breaches is given in a Forbes article.
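What "not passing data through unchecked" looks like at the boundary is an allowlist with type and range checks, applied before the request body is handed to an internal service. The following validator is an added example, not code from the article or from F5: it guards a hypothetical POST /orders endpoint, rejects fields the client is not allowed to set (user id, price, admin flags) rather than silently dropping them, and binds the caller's identity from the session instead of the body. Field names, limits and the sample payloads are assumptions.

```python
"""Input validation at the API boundary (added example, not from the article or F5).

Only an allowlisted, type-checked and bounded subset of a hypothetical
POST /orders body is forwarded to the internal order service. Unknown
fields are rejected so that the attempt shows up in the logs. Field
names, limits and sample payloads are assumptions.
"""
import re

EMAIL_RX = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")
SKU_RX = re.compile(r"^[A-Z0-9-]{3,32}$")

# Allowlist: field -> (expected type, predicate on the value). Nothing else gets through.
ORDER_SCHEMA = {
    "sku": (str, lambda v: bool(SKU_RX.match(v))),
    "quantity": (int, lambda v: 1 <= v <= 100),
    "email": (str, lambda v: bool(EMAIL_RX.match(v))),
    "note": (str, lambda v: len(v) <= 200 and v.isprintable()),
}
REQUIRED = {"sku", "quantity", "email"}


def validate_order(payload, caller_user_id):
    """Return (clean_message, []) on success or (None, [errors]) on rejection.

    caller_user_id comes from the authenticated session, never from the body.
    """
    if not isinstance(payload, dict):
        return None, ["body must be a JSON object"]
    errors, clean = [], {}
    for field, (expected_type, accept) in ORDER_SCHEMA.items():
        if field not in payload:
            if field in REQUIRED:
                errors.append(f"{field}: required")
            continue
        value = payload[field]
        # bool is a subclass of int in Python, so True would otherwise pass an int check
        if isinstance(value, bool) or not isinstance(value, expected_type):
            errors.append(f"{field}: expected {expected_type.__name__}")
            continue
        if not accept(value):
            errors.append(f"{field}: invalid value")
            continue
        clean[field] = value
    unknown = sorted(set(payload) - set(ORDER_SCHEMA))
    if unknown:
        errors.append("unknown fields rejected: " + ", ".join(unknown))
    if errors:
        return None, errors
    clean["user_id"] = caller_user_id        # identity is bound server-side
    return clean, []


# Constructed sample requests.
SAMPLE_OK = {"sku": "WIDGET-01", "quantity": 2, "email": "alice@example.com", "note": "gift wrap"}
SAMPLE_ATTACK = {"sku": "WIDGET-01", "quantity": 2, "email": "mallory@example.com",
                 "user_id": 1, "price": 0.01, "is_admin": True}   # tries to set server-owned fields

if __name__ == "__main__":
    for label, body in (("ok", SAMPLE_OK), ("attack", SAMPLE_ATTACK)):
        clean, errors = validate_order(body, caller_user_id=42)
        print(label, "->", clean if clean is not None else errors)
```

Price and identity are deliberately absent from the schema: anything the server can determine itself (the catalogue price, the session's user id) is looked up server-side, so the client never gets a field it could tamper with.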

Conclusion

These five simple steps are a crucial foundation for companies that want to increase their security and supplement their existing procedures with additional measures, such as integrating the IT teams into a comprehensive, holistic approach to security, automated unit tests and Role-Based Access Control. By adopting DevSecOps practices alongside rapid application development, companies can develop secure applications quickly while maintaining the integrity and security of their systems.
